oci-build-task

Building using an image from a private repository results in "x509: certificate signed by unknown authority".

Open chriseaton opened this issue 4 years ago • 2 comments

When our docker file specifies an image in a private repo, it causes the oci-build-task to fail. As far as I could tell, there's no way to specify a custom CA.

```
ERROR: failed to do request: Head "https://our-private-repo/v2/shared/centos/manifests/latest": x509: certificate signed by unknown authority
```

chriseaton avatar Dec 31 '21 23:12 chriseaton

Here's a possible workaround, with the downside that you're basically forking the official oci-build-task image and using it in the interim:

  1. Build your own oci-build-task image with a Dockerfile like this to add your ca.crt file to the image, and push to your private registry

```dockerfile
FROM docker.io/concourse/oci-build-task:latest

COPY ca.crt /usr/local/share/ca-certificates/

RUN update-ca-certificates
```

  2. In your pipeline specify your oci-build-task image in place of the official one

```yaml
...
  - task: build-task-image
    privileged: true
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: fir.love.io:3005/amd64/oci-build-task
          # repository: concourse/oci-build-task
          tag: latest
...
```

CJLove avatar Jan 07 '22 04:01 CJLove

Related, that has a bit cleaner temporary solution that doesn't require making a custom image: https://github.com/concourse/oci-build-task/issues/70#issuecomment-933674965

Looking at the code, however, I believe adding an input for custom certs/ca should be pretty easy.

lrstanley avatar Apr 04 '22 08:04 lrstanley
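
The failure reported in this issue, and the effect of trusting one extra CA, reproduced in Go as an added example; it is not code from oci-build-task or from any commenter. A constructed local `httptest` TLS server stands in for the private registry, and `rootsWithExtraCA`, `headManifest` and `demo` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// rootsWithExtraCA (hypothetical helper) adds caPEM to the system roots; bad PEM is an error.
func rootsWithExtraCA(caPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no usable certificate in CA bundle")
	}
	return pool, nil
}

// headManifest sends a HEAD request and verifies the server against the given roots.
func headManifest(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Head(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo runs the same request twice against a constructed stand-in for the private registry.
func demo() (before, after error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	url := srv.URL + "/v2/shared/centos/manifests/latest"
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	defaults, _ := rootsWithExtraCA(nil) // system roots only
	extended, err := rootsWithExtraCA(caPEM)
	if err != nil {
		return nil, err
	}
	return headManifest(url, defaults), headManifest(url, extended)
}

func main() {
	fmt.Println(demo()) // error under default roots, then the result with the CA added
}
```

The pool is extended rather than replaced, so public registries keep validating, and certificate verification stays enabled throughout.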